[NEWS] Vulnerabilities in Oracle9iAS Web Cache

From: support@securiteam.com
Date: 01/13/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 13 Jan 2002 12:16:09 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Vulnerabilities in Oracle9iAS Web Cache
------------------------------------------------------------------------

SUMMARY

This advisory describes multiple vulnerabilities in Oracle9iAS Web Cache
that allow an attacker with local access to overwrite any files accessible
to the "oracle" user, gain "oracle" user privileges and capture the
password of the Web Cache administrator account.

DETAILS

Vulnerable systems:
Oracle 9iAS version 1.0.2.2.1 (Solaris)

A non-privileged user can start Web Cache by invoking
$ORACLE_HOME/webcache/bin/webcached and, because the binary is setuid
"oracle", either create or overwrite any "oracle"-owned file. By starting
$ORACLE_HOME/webcache/bin/webcached with the "-A" option it is also
possible to run commands as the "oracle" user. This can be achieved by
modification of local environment variables and Web Cache configuration
files.

As part of the functionality offered by Web Cache, it is possible to
locally and remotely administer the Web Cache application. Normally,
access is restricted (a username and password are required). However, the
Web Cache administrator passwords are stored in
$ORACLE_HOME/webcache/webcache.xml, which is world-readable and
contains the "encrypted" password for the administrator accounts. The
encryption is weak, and it may also be possible to gain access to the
administrator accounts if the default passwords have not been changed.
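
A local check for the two file-permission conditions described above (an
added example, not part of the original advisory or of Oracle's patch). The
two paths are the ones named in the advisory; the function names are
hypothetical, and the script runs its audit only when ORACLE_HOME is set.

```shell
#!/bin/sh
# Added example: audit the permission conditions named in the advisory.
# Assumption: $1 / ORACLE_HOME is the root of the Oracle9iAS installation.

# has_mode FILE MODE: succeeds if FILE has every permission bit in MODE set.
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# webcached_exposed HOME: setuid binary that any local user may execute.
webcached_exposed() {
    wc_bin="$1/webcache/bin/webcached"
    [ -f "$wc_bin" ] && has_mode "$wc_bin" 4001
}

# config_exposed HOME: administrator password file readable by everyone.
config_exposed() {
    wc_conf="$1/webcache/webcache.xml"
    [ -f "$wc_conf" ] && has_mode "$wc_conf" 004
}

# audit_webcache HOME: prints one line per finding; returns 1 if any exist.
audit_webcache() {
    audit_rc=0
    if webcached_exposed "$1"; then
        # The owner of a setuid binary is the identity its callers obtain.
        wc_owner=$(ls -ld "$1/webcache/bin/webcached" | awk '{print $3}')
        echo "FINDING: webcached is setuid '$wc_owner' and world-executable"
        audit_rc=1
    fi
    if config_exposed "$1"; then
        echo "FINDING: webcache.xml is world-readable (administrator password data)"
        audit_rc=1
    fi
    return "$audit_rc"
}

# Run the audit only when an installation root is configured.
if [ -n "${ORACLE_HOME:-}" ]; then
    audit_webcache "$ORACLE_HOME" ||
        echo "Findings present: apply the vendor patches referenced in the advisory."
fi
```
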

Recommendations:
Apply vendor patches.

Vendor status:
The vendor has issued a bulletin and made patches available on this issue.
See:
http://otn.oracle.com/deploy/security/pdf/webcache2.pdf

ADDITIONAL INFORMATION

The information has been provided by
Mark Rowe <mark.rowe@pentest-limited.com> and
Pete Finnigan <pete.finnigan@pentest-limited.com>.
